VoIP Security: Masquerading Data as RTP Media Stream
Masaaki Yana, Graduate, Information Technology and Management
Carol Davids, Alva C. Todd Professor - Information Technology and Management
Project Advisory Council Sponsor
Ken Kousky - CEO, IP3 Inc.
Many breaches of data security are initiated from within the enterprise. This project researches the possibility of data theft by an employee using the RTP (Real-Time Transport Protocol) stream created by a SIP (Session Initiation Protocol) application. The challenge was to use software freely available on the Internet to create an application that enables a person inside an enterprise firewall to send a data file, masquerading as voice information in the RTP stream, out through the firewall.
The application provides a "proof of concept" that this type of theft is possible. It is a "client-server" application. The "thief", located outside of the enterprise, uses a SIP phone running the client portion of the application to call a SIP phone internal to the enterprise. The internal SIP phone is running the server portion of the application, which the "thief" has previously added to the internal phone. The altered code on the internal phone interleaves a specified internal document into the normal voice traffic in the RTP stream that the SIP phone creates. The client application, outside the enterprise, removes the pieces of the file from the RTP stream, reconstructs the file, and stores it on a designated computer.
To demonstrate the operation of the application, the student identified a PDF file on the server-side computer, demonstrated that it could be opened there, then telephoned that computer and talked with the SIP user there as the data was transferred. After disconnecting his call, he was able to open the file on the receiving computer and verify that it was the one he intended to steal.
The free software used to create this application includes the SIP User Agent, Sip-Communicator from JAIN-SIP, SIP Proxy Server from NIST-SIP, and the Eclipse IDE (Integrated Development Environment).
This project was described by Professor Davids at SuperComm 2005 on June 7, 2005. It was presented and demonstrated by its student developer at the VoIP Student Colloquium organized jointly by the Institute of Electrical and Electronics Engineers (IEEE) Communication Society Chicago Chapter and IIT's Rice Campus on June 21, 2005, as part of an IEEE student colloquium.